qubes-firewall: handle only traffic originating from VMs

Let packets entering from non-vif interfaces (i.e. not originating from a VM) skip the qubes-firewall forward rules early, instead of falling through to the catch-all drop.

Fixes QubesOS/qubes-issues#3644
This commit is contained in:
Marek Marczykowski-Górecki 2018-04-03 01:01:56 +02:00
parent c281d6454f
commit 53c9b45c76
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
2 changed files with 15 additions and 4 deletions


@ -370,8 +370,12 @@ class IptablesWorker(FirewallWorker):
# starting qubes-firewall # starting qubes-firewall
try: try:
self.run_ipt(4, ['-F', 'QBS-FORWARD']) self.run_ipt(4, ['-F', 'QBS-FORWARD'])
self.run_ipt(4,
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP']) self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
self.run_ipt(6, ['-F', 'QBS-FORWARD']) self.run_ipt(6, ['-F', 'QBS-FORWARD'])
self.run_ipt(6,
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP']) self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
except subprocess.CalledProcessError: except subprocess.CalledProcessError:
self.log_error('\'QBS-FORWARD\' chain not found, create it first') self.log_error('\'QBS-FORWARD\' chain not found, create it first')
@ -579,6 +583,7 @@ class NftablesWorker(FirewallWorker):
' type filter hook forward priority 0;\n' ' type filter hook forward priority 0;\n'
' policy drop;\n' ' policy drop;\n'
' ct state established,related accept\n' ' ct state established,related accept\n'
' meta iifname != "vif*" accept\n'
' }}\n' ' }}\n'
'}}\n' '}}\n'
) )
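Review bot: The two new exemption rules use different verdicts and nothing in the code records why: the iptables rules use `-j RETURN`, which hands a non-vif packet back to whatever follows QBS-FORWARD in the FORWARD chain, while the nft template uses `accept`, which only ends evaluation of this base chain — chains on the forward hook in other tables still see the packet — so the effective policy for uplink-originated forwards differs per backend. A comment at each site would save the next reader from re-deriving that, e.g. above the iptables appends `# traffic not entering from a VM (vif+) is outside qubes-firewall's scope; hand it back to the rest of FORWARD` and beside the nft rule `# non-VM ingress: accepted here so it is not hit by this chain's policy drop; other forward-hook chains still apply`. Less importantly, both new appends sit inside the existing try whose handler logs "'QBS-FORWARD' chain not found"; if the preceding `-F` succeeded and an append fails, that message is now wrong, so consider narrowing the try to the flush or logging the failing command. Both init bodies continue outside the hunk, so it is not visible where the per-VM jump rules are added relative to these rules; if they are inserted with `-I` they would precede the RETURN and still evaluate non-vif traffic, which is worth confirming.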


@ -271,10 +271,14 @@ class TestIptablesWorker(TestCase):
def test_006_init(self): def test_006_init(self):
self.obj.init() self.obj.init()
self.assertEqual(self.obj.called_commands[4], self.assertEqual(self.obj.called_commands[4], [
[['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']]) ['-F', 'QBS-FORWARD'],
self.assertEqual(self.obj.called_commands[6], ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
[['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']]) ['-A', 'QBS-FORWARD', '-j', 'DROP']])
self.assertEqual(self.obj.called_commands[6], [
['-F', 'QBS-FORWARD'],
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
['-A', 'QBS-FORWARD', '-j', 'DROP']])
def test_007_cleanup(self): def test_007_cleanup(self):
self.obj.init() self.obj.init()
@ -435,6 +439,7 @@ class TestNftablesWorker(TestCase):
' type filter hook forward priority 0;\n' ' type filter hook forward priority 0;\n'
' policy drop;\n' ' policy drop;\n'
' ct state established,related accept\n' ' ct state established,related accept\n'
' meta iifname != "vif*" accept\n'
' }\n' ' }\n'
'}\n' '}\n'
'table ip6 qubes-firewall {\n' 'table ip6 qubes-firewall {\n'
@ -442,6 +447,7 @@ class TestNftablesWorker(TestCase):
' type filter hook forward priority 0;\n' ' type filter hook forward priority 0;\n'
' policy drop;\n' ' policy drop;\n'
' ct state established,related accept\n' ' ct state established,related accept\n'
' meta iifname != "vif*" accept\n'
' }\n' ' }\n'
'}\n' '}\n'
]) ])
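Review bot: test_006_init now pins the exact order flush → non-vif RETURN → DROP for both address families, but nothing says that this order is the property under test, so a later contributor reordering the expected list to match a refactor would not realise they had weakened the check; a one-line comment above the first assertEqual, `# order matters: the non-vif RETURN must precede the catch-all DROP`, makes that explicit. The nftables assertions likewise only verify the rendered template text and do not exercise that the `iifname != "vif*"` rule is evaluated before any per-VM rule, which is presumably added by a later step not visible in this hunk. test_007_cleanup starts at the end of the first hunk and continues outside it.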